Monday, March 21, 2011

Where have all the (old) hard drives gone?

If you can't come up with an answer other than "long time passing," you may have a problem.

The State Comptroller of New Jersey recently recently released an audit report detailing problems in the state's disposal of surplus computer equipment. The state requires that its agencies degauss (i.e., use a powerful magnet to obliterate data) the hard drives of all surplus computers prior to disposal, but the auditors found that many state agencies were not complying with this policy. They examined a lot of 58 desktop computers and hard drives, some of which were to be auctioned off to the general public within a short time, and discovered that 46 of the drives still housed readable data. Some of the data was legally restricted and could have damaged citizens' lives or the state's information technology infrastructure if disclosed [p. 10-11]:

More than 230 files related to State investigative case screenings and reports of child abuse, endangerment and neglect. Many of the reports contained the names and addresses of the children. The files also included a child fatality report, child immunization records and a child health evaluation.

Information identifying the user of the hard drive as a high-level State agency official, internal agency memoranda, internal written briefings for an agency Commissioner, draft documents, personal contact information for multiple members of the then-Governor’s cabinet, and work plans for individual staff members.

A list of vendor payments referencing names of children and names, addresses and phone numbers of children placed outside of the parental home, along with case information.

A Microsoft Outlook e-mail archive containing 46 e-mails, including one listing multiple users’ computer sign-on passwords, as well as 11 personnel reviews for State employees that included their Social Security numbers.

A laptop computer that had been used by a judge who worked both at home and in an office also contained an array of legally restricted or otherwise sensitive information [p.7]:

The judge’s life insurance trust agreement, his tax returns for three years and a final mortgage payment letter that included the address of the property and the account number.

Two documents with the judge’s Social Security number.

A “confidential fax” to the New Jersey Lawyers Assistance Program concerning an attorney’s “personal emotional problems."

Non-public memoranda by the judge concerning potential impropriety by two attorneys.

The results of this audit propelled the Office of the State Comptroller, which oversees the auction of surplus state computers, cellular phones, and other equipment, has suspended the auctioning of hard drives and computers, but it's quite likely that hard drives containing readable data have been auctioned off in the past.

What an ugly state of affairs. However, those of us who work in large organizations are all too accustomed to having our old computers "taken away" by "the IT people" who configure our replacement machines and assuming that "the IT people" will dispose of them properly. Those of us who work in smaller organizations may not think about what happens to computers that are offered up for recycling or reassigned to interns or volunteers.

This state of affairs must change. Those of us who work with legally restricted or "sensitive" materials have to raise questions about what happens to our old desktops, make our managers aware of the potential consequences of not disposing of such equipment properly, ensure that existing disposal policies are actually observed, and, in the absence of existing policies, push for creation and enforcement of appropriate policies. Those of us who are archivists or records managers have a particular obligation to raise these issues and educate our customers, and those of us who do hands-on work with archival electronic records must ensure that old hardware and portable media is purged of any legally restricted or "sensitive" records prior to disposal. And, of course, we are all responsible for purging the hard drives of the computers that we purchase for our personal use prior to disposing of them.

How do you ensure that your hard drives (or other digital storage media) don't contain any recoverable data?

Remove them and destroy them. If I had a hammer, I'd hammer hard drives in the morning, I'd hammer hard drives in the evening, all over this land. Seriously, a 40-oz. hammer will do the job quite nicely. One county in New York State slices through its surplus drives with a plasma cutter. Some large organizations and computer recycling facilities have special shredders that can handle hard drives, data tapes, optical discs, and floppies, and many home and office shredders can destroy small quantities of floppy disks or optical discs (watch out for the resulting shards of plastic!) The options are endless. Of course, if you want to re-use the hard drive or give it to someone else, destruction is not a good option.

Degauss them. As noted above, degaussing involves exposing magnetic storage media to a strong magnetic current and thus obliterating the data they contain. Degaussing almost always renders hard drives completely unusable, so it's not a good option for people who want to re-use them or give them away. Degaussing equipment also requires an upfront investment ranging from several hundred to several thousand dollars, so it may not be a practical approach for individuals or organizations that do not regularly dispose of storage media; however, some firms rent degaussing equipment, and others may degauss small quantities of media for a fee.

Overwrite them. There are a number of software applications, including some open source options, that will repeatedly overwrite all of the data on your hard drive(s) with zeroes or, better yet, a numeric pattern and verification mechanism, thus rendering the data unrecoverable. This process may be time-consuming, but overwritten hard drives can be reused. If you're interested in overwriting the data on your personal computer's hard drive, check out the nice overview that Gizmodo posted about a year ago; it explains the readily available options for sanitizing hard drives, flash memory cards, and USB keychain drives. If you're responsible for disposing of hard drives that contain legally restricted or national security information, make sure that you comply with any applicable standards and policies governing the use of overwriting software.

No comments:

Search l'Archivista

About l'Archivista

. . . is Bonnie Weddle, a mildly workaholic electronic records archivist. This blog is a (partial) record of the life of a working archivist, and in it you'll find information about electronic records issues, government transparency, open records laws, archival security, New York State history, and other abiding concerns. And because even a workaholic archivist needs to get out of the processing room every now and then, you'll find the occasional travelogue and off-topic post.

Caveat lector

This blog is an evening and weekend project, and its content reflects my own opinions and, occasionally, the opinions of other people. It does not in any way officially represent the views of my employer or any professional organization in which I am involved. Moreover, it is a perpetual work in progress. Older posts may not reflect my current views or level of knowledge.